The average cost of a data breach in the healthcare industry is $6.75 million according to a Kroll study.
You don’t have to be a selfie-taking celebrity these days to worry about the safety of your private information and files.
In fact, as Meaningful Use Stage Two and Obamacare force more and more practices to use electronic medical records software, doctors and office managers need to pay more and more attention to the security of their patients’ digital records.
But many of them are doing it poorly.
Recent research found that 90% of hospitals and clinics lose their patients’ data.
If you’re a small practice physician you may not think you have the time or expertise to properly protect sensitive health records.
Luckily, you’re wrong.
By following just a few basic procedures and putting into place some simple precautions (above and beyond those required by HIPAA), you can keep your patients’ information out of the hands of malicious hackers.
1. Choose a secure EMR software system
Because your time is valuable, this is the most important, number one thing you can do to secure patient medical records.
A good EMR vendor will handle a lot of the security needs for you, including encrypting files, having protected backups, and keeping an activity log for future audits. Because this is their main job, they can devote a lot more time and resources to it than you can, making this type of security outsourcing ideal for the busy doctor.
Here’s what to look for in a secure EMR:
- SaaS or web-based offering: This ensures you have no local NPI/ePHI files on your computer. With cloud-based software these files will all reside at the vendor’s data centers where biometric security and high levels of encryption will keep them safe.
- Continuous updates: Community Health Systems lost 4.5 million names and social security numbers in a hack because they hadn’t updated their systems to protect against the Heartbleed bug. Make sure to evaluate a vendor’s update schedule to see how frequently they patch the software and fix any security flaws. Often you can find updates listed in a vendor’s blog or news section of their website.
- Certified for Meaningful Use: Because Meaningful Use requires an EMR to meet certain safety standards, this is a good measure of how secure the software is. Many vendors display this certification proof on their website. If not, ask to see a vendor’s certification (or look it up at the government’s Certified Health IT Product List).
While getting a top-notch EMR should be your first priority security-wise, be aware: it is not a panacea and you are still responsible for the security of any data on your office and local computers, and of any files you transfer between computers or between your local system and the EMR.
Don’t let the fact that you have a great EMR software make you lazy when it comes to data protection.
2. Encrypt, encrypt, encrypt
Just because you have a secure, cloud-based EMR system doesn’t mean you’re in the clear when it comes to protecting leftover NPI/ePHI files on your local computers and office system.
If you keep any data beyond your employee schedules on office computers, you need to encrypt it.
Luckily, new Windows and Mac operating systems contain tools to allow you to do this painlessly (and if you’re not using new versions of the operating systems, your first step should be to upgrade since these will be the most secure; still using Windows XP is absolutely unacceptable if you care about data security).
- For Windows: BitLocker is an encryption tool automatically included in all Windows OSs starting with Windows 7. It can encrypt whole drives, as well as data on removable drives like USB and thumb drives. However, beware: any files you copy from an encrypted drive to another computer or drive will be automatically decrypted, so don’t assume BitLocker will protect files in transit (such as those sent over email).
- For Mac: FileVault is the Apple version of BitLocker, and serves much the same function, letting you encrypt drives on your computer. As with BitLocker, any files removed from the encrypted drive are no longer encrypted and will be unsecured.
Using these tools is as simple as clicking “enable” and choosing a drive to encrypt and a password, so you have no excuse not to use them for any sensitive patient data still residing on your local computers.
When sending files and emails ensure that they, too, are encrypted.
- For Outlook: Microsoft provides instructions for obtaining a private key and sending encrypted messages that can only be opened by someone with their own certified private key. This includes the ability to encrypt attachments.
- For Apple Mail: While Apple recently implemented automatic encryption for email in transit, if you send a file or email from your Apple account to someone who is not using an encrypted email service, it will still be sent to them unencrypted. To ensure this doesn’t happen, download a security certificate, use it in your Apple Mail, and only send email to people who are also authenticated with one (a “public key”).
- For Gmail: Add-ons and extensions exist to make Gmail encryption as painless as possible, but will still require you to be communicating with someone else who is using encrypted email for any files sent over the service to be secure.
By taking the time to set up these systems now, you’ll be securing local patient data for a good long time to come. It’s a worthwhile investment.
3. Cut down on human error
Most hacks that result in data breaches are a result, not of flaws in the encryption or security system being used, but of simple, dumb mistakes by users.
You can minimize the chances of these happening by observing a few common-sense security rules:
- Set everything to automatically update: Old versions of software are security breaches waiting to happen. Make sure your operating system, email program, and anything else on your computer is set to automatically download and install new updates from the vendor.
- Set computers to automatically lock and hibernate: All the encryption in the world won’t help you if you leave an unattended, open computer around. In the system settings make sure to set your computer to automatically lock and hibernate (not “sleep” since this mode is vulnerable to hacks) when not in use for a few minutes.
- Don’t use mobile devices to access data: While convenient, mobile devices like smartphones and tablets have a whole host of additional security risks and flaws, and their portability means they have a much greater chance of being lost or stolen.
- Don’t allow computers to leave the office: Employees bringing laptops home to work, or working from a home computer, hugely increases the chance of data being lost or stolen. You can’t verify the security of an employee’s private computer, and even you can’t be trusted not to lose a laptop while on vacation in Hawaii.
- Limit who has access: The janitor does not need a login to your office computer. Limit who can access patient data to only the absolute minimum necessary. If someone in the office only needs to access it occasionally, force them to go through another employee rather than giving them full access. This minor hassle to them is worth it to protect patient records.
- Pick good passwords: If your password is “password” or “123abc” your patients’ data is not secure, no matter how many layers of encryption you have. Security expert Bruce Schneier recommends converting a personally memorable sentence into a unique password (so that “When I was seven, my sister threw my stuffed rabbit in the toilet” becomes “WIw7,mstmsritt…”).
- Schedule security audits: HIPAA actually requires this, but set up a calendar reminder so that you take a day every few months to check (or have an external expert check) that your security procedures are still up to snuff and running correctly.
- Practice good email security: Don’t open attachments or click on links from people you don’t know. Confirm that the email address matches the name of the sender, as these can be falsified. Don’t send or save unencrypted files or attachments.
These may seem obvious, but this is where practices and hospitals most often slip up.
Again, most of these are processes you can “set and forget;” they will require some time to set up, but less time to maintain. They are ideal for doctors concerned with security but who are busy running their practice and seeing patients.
Do you have other suggestions for tools or best practices for protecting patient information? How does your practice or hospital manage it?
Share your thoughts in the comments!